@cyberhub/trust-axios 1.0.3 → 1.0.5

package/README.md

@@ -1,8 +1,8 @@
 # Security Trust Report: axios
 
-**axios@1.14.0: 62/100 | Grade: C+ | Tier: STANDARD** (confidence: ±3)
+**[axios@1.14.0](https://www.npmjs.com/package/axios): 64/100 | Grade: C+ | Tier: STANDARD** (confidence: ±3)
 
-> Data verified on 2026-04-02 from 8 security databases.
+> Scanned on 2026-04-03 from 8 security databases. [View package on npm →](https://www.npmjs.com/package/axios)
 
 ## TL;DR
 
@@ -19,14 +19,14 @@ CVE-2023-45857: CSRF token theft via cookie exposure. CVE-2024-28849: SSRF vulne
 ```
 Maintainer Trust:  ████████████████░░░░ 80/100
 Package Health:    ██████████████████░░ 89/100
-Supply Chain:      ████░░░░░░░░░░░░░░░░ 19/100
+Supply Chain:      █████░░░░░░░░░░░░░░░ 26/100
 Community:         ██████████░░░░░░░░░░ 48/100
 ```
 
 ### Why this score?
 
-- Supply Chain is 19 because: 1 known CVEs, in breach database, risky dependencies
-- Community is 48 because: no GitHub repo found
+- Supply Chain is 26 because: 1 known CVEs, in breach database, risky dependencies
+- Community is 48 because: no public GitHub repo linked (may be private or on another platform)
 
 ## Vulnerabilities (1 vulnerability)
 
@@ -39,10 +39,9 @@ Community:         ██████████░░░░░░░░░░
 
 ## Key Risk Flags
 
-- 🔴 **CRITICAL**: RECENT-ISH BREACH: CSRF token theft CVE-2023-45857, SSRF via follow-redirects dependency CVE-2024-28849 (2023-2024)
-- 🔴 **CRITICAL**: 1 CRITICAL vulnerability(ies) from live CVE databases
+- 🔴 **CRITICAL**: RECENT-ISH BREACH: CSRF token theft CVE-2023-45857, SSRF via follow-redirects dependency CVE-2024-28849 (2023-2024) ([evidence](https://nvd.nist.gov/vuln/detail/CVE-2023-45857))
+- 🔴 **CRITICAL**: 1 CRITICAL vulnerability from live CVE databases
 - 🟠 **HIGH**: 1 direct dependencies have known security issues
-- 🟠 **HIGH**: Depends on "follow-redirects" which has SSRF CVE-2024-28849
 
 ## 🛠️ What Should You Do?
 
@@ -54,15 +53,15 @@ Community:         ██████████░░░░░░░░░░
 
 ## 🔄 Safer Alternatives
 
-| Package | Why | Trust Report |
-|---------|-----|-------------|
-| **got** | No known breaches, better error handling | [View score](https://nrupak.com/trust/got) |
-| **node-fetch** | Lightweight, fewer dependencies | [View score](https://nrupak.com/trust/node-fetch) |
-| **undici** | Node.js built-in HTTP client (Node 18+) | [View score](https://nrupak.com/trust/undici) |
+| Package | Why | npm | Trust Score |
+|---------|-----|-----|-------------|
+| **got** | No known breaches, better error handling | [npm](https://www.npmjs.com/package/got) | [View score](https://nrupak.com/trust/got) |
+| **node-fetch** | Lightweight, fewer dependencies | [npm](https://www.npmjs.com/package/node-fetch) | [View score](https://nrupak.com/trust/node-fetch) |
+| **undici** | Node.js built-in HTTP client (Node 18+) | [npm](https://www.npmjs.com/package/undici) | [View score](https://nrupak.com/trust/undici) |
 
-## Maintainers
+## Maintainers (1)
 
-- [jasonsaayman](https://nrupak.com/trust/maintainer/jasonsaayman) ✅ 2FA (org)
+- [jasonsaayman](https://www.npmjs.com/~jasonsaayman) ✅ 2FA (org email) — [Trust profile](https://nrupak.com/trust/maintainer/jasonsaayman)
 
 **Methodology:** 18+ signals across 4 categories (Maintainer 35%, Package 25%, Supply Chain 25%, Community 15%). [Full scoring docs →](https://nrupak.com/trust)
 
@@ -73,4 +72,4 @@ Community:         ██████████░░░░░░░░░░
 
 *Report by [pkgtrust](https://nrupak.com/trust/axios) · [Dashboard](https://nrupak.com/trust) · [Compare](https://nrupak.com/trust/compare) · [CLI](https://npmjs.com/package/@cyberhub/pkgtrust)*
 
-*This is an automated security report. Not affiliated with the axios team. Updated 2026-04-02.*
+*This is an automated security report. Not affiliated with the axios team. Updated 2026-04-03.*

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@cyberhub/trust-axios",
-  "version": "1.0.3",
-  "description": "Security Trust Report: axios@1.14.0 — 62/100 (C+, standard). 1 vulnerability found. Maintainer risk, supply chain analysis from 8 security databases.",
+  "version": "1.0.5",
+  "description": "Security Trust Report: axios@1.14.0 — 64/100 (C+, standard). 1 vulnerability found. Maintainer risk, supply chain analysis from 8 security databases.",
   "keywords": [
     "axios",
     "axios",
@@ -30,5 +30,6 @@
     "type": "git",
     "url": "https://github.com/nrupaks/pkgtrust"
   },
-  "homepage": "https://nrupak.com/trust/axios"
+  "homepage": "https://nrupak.com/trust/axios",
+  "readme": "# Security Trust Report: axios\n\n**[axios@1.14.0](https://www.npmjs.com/package/axios): 64/100 | Grade: C+ | Tier: STANDARD** (confidence: ±3)\n\n> Scanned on 2026-04-03 from 8 security databases. [View package on npm →](https://www.npmjs.com/package/axios)\n\n## TL;DR\n\n- **1 vulnerability found** (1 critical, 0 high)\n- Consider switching to **got** (No known breaches, better error handling)\n- Pin your version and monitor for changes\n\n## ⚠️ Security Incident Background\n\nCVE-2023-45857: CSRF token theft via cookie exposure. CVE-2024-28849: SSRF vulnerability via follow-redirects dependency allowing proxy-authorization header leak. The North Korea-linked Lazarus Group targeted axios in typosquatting campaigns.\n\n## Score Breakdown\n\n```\nMaintainer Trust:  ████████████████░░░░ 80/100\nPackage Health:    ██████████████████░░ 89/100\nSupply Chain:      █████░░░░░░░░░░░░░░░ 26/100\nCommunity:         ██████████░░░░░░░░░░ 48/100\n```\n\n### Why this score?\n\n- Supply Chain is 26 because: 1 known CVEs, in breach database, risky dependencies\n- Community is 48 because: no public GitHub repo linked (may be private or on another platform)\n\n## Vulnerabilities (1 vulnerability)\n\n| Severity | Count |\n|----------|-------|\n| 🔴 Critical | 1 |\n\n- [CVE-2023-45857](https://nvd.nist.gov/vuln/detail/CVE-2023-45857)\n- [CVE-2024-28849](https://nvd.nist.gov/vuln/detail/CVE-2024-28849)\n\n## Key Risk Flags\n\n- 🔴 **CRITICAL**: RECENT-ISH BREACH: CSRF token theft CVE-2023-45857, SSRF via follow-redirects dependency CVE-2024-28849 (2023-2024) ([evidence](https://nvd.nist.gov/vuln/detail/CVE-2023-45857))\n- 🔴 **CRITICAL**: 1 CRITICAL vulnerability from live CVE databases\n- 🟠 **HIGH**: 1 direct dependencies have known security issues\n\n## 🛠️ What Should You Do?\n\n**Immediate:**\n- Upgrade to the latest version (`npm update axios`)\n- Or replace with [got](https://nrupak.com/trust/got)\n\n**Always:** Pin version, run `pkgtrust scan` in CI, monitor at [nrupak.com/trust/axios](https://nrupak.com/trust/axios)\n\n## 🔄 Safer Alternatives\n\n| Package | Why | npm | Trust Score |\n|---------|-----|-----|-------------|\n| **got** | No known breaches, better error handling | [npm](https://www.npmjs.com/package/got) | [View score](https://nrupak.com/trust/got) |\n| **node-fetch** | Lightweight, fewer dependencies | [npm](https://www.npmjs.com/package/node-fetch) | [View score](https://nrupak.com/trust/node-fetch) |\n| **undici** | Node.js built-in HTTP client (Node 18+) | [npm](https://www.npmjs.com/package/undici) | [View score](https://nrupak.com/trust/undici) |\n\n## Maintainers (1)\n\n- [jasonsaayman](https://www.npmjs.com/~jasonsaayman) ✅ 2FA (org email) — [Trust profile](https://nrupak.com/trust/maintainer/jasonsaayman)\n\n**Methodology:** 18+ signals across 4 categories (Maintainer 35%, Package 25%, Supply Chain 25%, Community 15%). [Full scoring docs →](https://nrupak.com/trust)\n\n**Check your project:** `npm i -g @cyberhub/pkgtrust && pkgtrust scan axios` — [CLI docs](https://npmjs.com/package/@cyberhub/pkgtrust)\n**Data Sources:** GitHub Advisories · OSV.dev · npm audit · Snyk · Socket.dev · npms.io · Bundlephobia · deps.dev\n\n---\n\n*Report by [pkgtrust](https://nrupak.com/trust/axios) · [Dashboard](https://nrupak.com/trust) · [Compare](https://nrupak.com/trust/compare) · [CLI](https://npmjs.com/package/@cyberhub/pkgtrust)*\n\n*This is an automated security report. Not affiliated with the axios team. Updated 2026-04-03.*"
 }